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PREFACE 


This past year the Aerospace Safety Advisory Panel has focused 
Its attention on the Space Shuttle system, and has augmented its 
traditional on-site inspection approach with the assignment of task 
teams for more detail*.* fact-finding in specific areas of concern. 

This two-fold approach has enabled the Panel to cover a large number 
of tasks in greater depth while continuing to monitor the statue of 
the program as a whole. 

The Panel cannot, of course, review all activities of the pro- 
gram in equal detail. The following sections, which reflect the 
priorities the Panel felt were most deserving of its attention, were 
chosen on the basis of the Importance of those elements, subsystems 
and management systems with respect to crew safety and mission success. 
Each section was written by a different team. The Panel recognizes a 
continuing responsibility for surveilance of Shuttle and will continue 
to submit appropriate reports when each phase of its review is completed. 

Following is a statement of our general conclusions. These con- 
clusions also serve as an Introduction to the task team reports. 
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1.0 (JLNERAL CONCLUSIONS 
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1.0 general conclusions 


This abstract is a prologue to the task team reports which follow 
this section. It begins with a general assessment of the program and 
then identifies those topics the Panel suggests be reviewed by various 
levels of NASA management as part of their continuing oversight of 
program operations. 

I. The Panel is confident, based on the data we have gathered, 
that the Shuttle organization is developing flightworthy hardware and 
software systems. Program management has an adequate understanding 
of the significant ground and flight risks involved. This general 
statement is based on such observations as the following: 

A. PROGRAM STATUS 

The program is progressing as well as can be expected con- 
sidering budget constraints. The majority of subsystems are proceed- 
ing through design, manufacturing and test as planned. However, 
there is no margin in the schedule to accommodate major perturba- 
tions. As in any research and development program, some subsystems 
are encountering problems. This situation is not unusual where new 
technology is applied in new situations. Problems are being aggress- 
ively worked by management and engineering. The Shuttle Main Engine 
and Orbiter Thermal Protection Systems are notable examples. 


3 


i — 



B. TECHNICAL CONSCIENCE 


Program personnel have maintained their enthusiasm for 
raising questions of significance to the performance and safety of 
the Shuttle. There are adequate forums for them to express their 
concerns and judgments to management. The personnel in critical 
positions for decisions affecting flightworthiness and risk assess- 
ment are competent and experienced. 

C. RISK MANAGEMENT 

There is an independent and mature risk management system 
which considers all aspects of safety. The system also assures that 
design, manufacturing and test experience from prior programs is 
formally brought to the attention of people in this program and is 
being applied appropriately. 

D. AGGREGATE RISK 

Aggregate or total risk is difficult to measure. Nothing 
to date indicates the total risk is excessive at this phase of the 
program. The major basis for confidence in the flight hardware and 
software is the Shuttle verification program, since such a program 
certifies that the performance of the actual flight hardware and 
software meets mission requirements. Therefore, these tests are 
especially important, and their results will give a better under- 
standing of the actual capability and limitations of the Shuttle elements. 
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II. The Panel suggests that senior agency management include 
the following areas in their reviews of policy and planning for in- 
formation and control as warranted. 

A. GROUND TEST PROGRAM 

The verification and certification programs and the de- 
cision making system to establish minimum test requirements to cer- 
tify flightworthiness and safety warrant continued attention. 

Our reasoning is as follows. There is little schedule 
margin, funds or extra test hardware in any of the major test pro- 
grams. If test results do not turn out as expected, management will 
need to reassess its requirements for certification of the flightworthi- 
ness of the elements, adjust the schedule, or accept greater risks. 
Decisions on what are minimum requirements are matters of judgment. 

Such judgments are properly a prerogative and responsibility of pro- 
gram and project management. 

To assure that these judgments continue to be made with 
safety as the top priority, senior management will need to monitor: 

1. The ability to meet minimum requirements where there 
are further reductions or changes in the major test program. 

2. Progress in resolving problems in such critical manu- 
facturing and test areas as the Main Engine nozzle and turbo-machinery, 
and the delivery and independent verification of avionics software. 
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3. The realism of plans and schedules for the remaining 
tests where there are significant problems so that decisions can be 
made early rather than under schedule pressure. 

B. THE APPROACH AND UNDING TEST FLIGHTS (ALT) 

Mission planning and vehicle checkout for the flight pro- 
gram have begun and will peak out this coming fiscal year. 

The areas that warrant review now are: 

1. The data required from ALT to support a flight readi- 
ness decision on the first orbital flights and therefore the current 
policy on mission planning to obtain this data. 

2. The aggregate risk inherent in the "first flight" plan 
to assure it remains at an acceptable level. The ALT safety assess- 
ment document appears to be a good starting point for such a review. 

3. The basis for confidence that the structural capability 
of the 747 tail section will not be overloaded during tailcone off 
flights and that vibrations will not exceed crew tolerance. 

4. The test requirements and plans to give confidence 
that the landing gear will deploy and lock as required. 

5. The plan to have adequate Ground Support Equipment at 
the proper place to support the ALT program. 

6. The flight software requirements so there is an identical 
flight profile for autoland and manual modes. 
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7. The provision to allow the crew to adjust the gain of 
the control system. 

III. The Panel suggests that the Office of Space Flight give 
particular attention in its reviews to the following management areas. 

A. AVIONICS 

The effectiveness of recent changes in the avionics manage- 
ment approach and the need for a software expert in the Technical 
Assessment Office as an independent advisor and check and balance. 

Among the challenges they face are potential overloading of software, 
timeliness of deliveries, and the adequacy of independent verification. 
Independent verification of software in flight configuration is con- 
sidered to be very important. Fixes in hardware need to be assessed 
for their impact on software. Potential rearrangement of core memory 
by lightning or static discharges must be assessed. 

B. SYSTEMS MANAGEMENT FOR CONTINGENCY ABORT PLANNING 

The management system to assure that contingency abort 
analyses are given the proper priority now so that changes, partic- 
ularly in the software, are being made while there is still the cap- 
ability for changes. 

C. SOLID ROCKET BOOSTER 

The total or integrated management plan to assure SRB 
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reliability by appropriate controls during design, manufacturing, 
checkout, recovery and reuse. There are currently plans for the 
various phases but since we are dependent on the extremely high 
degree of reliability of the SRB there has to be both an overall 
plan and an appropriate management system to assure nothing is over- 
looked or "falls through the crack." 

IV. The Panel recommends that program management follow closely 
the following specific technical issues as well as the policy, planning, 
and management areas hientioned above. 

A. EXTERNAL TANK 

The selection of a material and its method of application 
for the external insulation, so that uhe program gets the flight 
performance it needs. 

B. SOLID ROCKET BOOSTER 

The safeguards to protect the auxilliary power unit from 

sea water entering the catalytic bed of the fuel system after splash- 

, * 
down. •:*. 

C. ORBITER THERMAL PROTECTION SYSTEM 

1. The provisions to assure that installation procedures 
and tools will maintain the required gap and step between tiles and 
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so avoid the problem of an early tripping of the boundary layer. 

2. The provisions to adequately protect vehicle openings 
during entry with insulation, while assuring this insulation will 
not obstruct the operation of doors. 

3. The data from further aerodynamic and flight tests 
be utilized to insure selection of proper materials. 

The following Task Team Reports contain the details on all of 
these recommendations as well as additional recommendations not 
listed here. 
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2.0 SYSTEMS MANAGEMENT 


Hon. Willis M. Hawkins 
Mr. Herbert E. Grier 
Hon. Frank C. Di Luzio 
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2.0 SYSTEMS MANAGEMENT 


I. BACKGROUND 

In recognition of the complexity of the Shuttle system and the 
need to have many back-up and fail safe or redundant systems to attain 
a high degree of safety, the Aerospace Safety Advisory Panel has en- 
deavored to understand NASA's approach to systems management and to 
assess the success of these efforts. During the last year the Panel 
has had numerous briefings from major element and systems integration 
managers at NASA Centers and from contractors. The Panel also reviewed 
the management system for contingency and abort planning. Finally, 
the Panel reviewed the NASA Program Office's response to earlier re- 
commendations from the Panel and from the Hawkins Committee* 

II. OBSERVATIONS 

The systems management function exercises oversight of the re- 
quirements for the total flight vehicle and integrates the work on 
the major elements toward meeting these requirements. Thus, "systems 
management" includes both systems integration and the independent 
assessment of the various elements in the program. 

The Panel found that earlier models were not used by the Shuttle 
team because of such factors as complexity, re-usability of major 
components, limited bick-up resources and NASA'S management experience. 
The system management approach is still evolving because it is de- 
signed to be responsive to changing needs. Thus the Panel has had 
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to understand and appreciate the differences in approach before judg- 
ing its effectiveness. In order to know what to expect in terms of 
performance, the Panel tocuoed on the structure and operation of the 
management system and on the circumstances that will continue to 
shape and constrain its evolution. In the recent past the relative 
responsibilities of the propram office and the principal systems con- 
tractors have, been renegotiated so the program office has taken more 
direct responsibility for the definition and implementation of the 
requirements lor systems integration. Since the Systems Integration 
Office at JSC remains comparatively small, it has developed a number 
of mechanisms for getting its work done. One oi the most important 
is the comparatively complex system of fifty panels and working 
groups. These , where needed, are chartered by the Systems Inte- 
gration Office through the Program Manager when more than one project 
element is involved or an inter-disciplinary technical approach is re- 
quired to define requirements and assure they are met. They are stalled 
by the same personnel who are involved at the project level in getting 
the work done. This approach has the advantage of assuring that the 
people who work the systems integration problems are familiar with the 
working details, but 1 t also means that there is a need for an inde- 
pendent assessment function as a check and balance on this approach. 

This was recommended by both the Panel and the Hawkins Committee. The 
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Program Manager instituted such a function this past year. 

A. SYSTEMS INTEGRATION 

Our current observations on systems integration can be sum- 
marized as follows: 

1. The management structure for systems integration is cum- 
bersome but comprehensive and appears to work. 

2. We have been asked to review the system for technical 
conscience and we have found that the panels and working groups are 
an important element of it. These provide a forum L'or knowledgeable 
technical personnel to alert management to questions considered im- 
portant for crew safety and mission success. 

3. The staff of engineers in the systems engineering office 
may need to be increased. As noted, systems integration is being 
done by project engineers under the oversight of the systems engi- 
neering office. Because of the workload and the possible difference 
in perspective between the two disciplines, management regularly 
should review the staffing of the systems engineering office to assure 
that its capability is appropriate for its responsibilities. 

4. In terms of documentation it appears that most of the 
directives which describe the system have to do with responsibilities 
for monitoring and evaluating Shuttle progress rather than with 
specifying how the daily work gets done or how the daily integration 
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decisions are made. Fur the 1 , o.vv.a of the directives do not clearly 
define or describe responsibilities. Using SSPM Directive No. 45A 
as an example, it is not clear how the Systems Integration Manager 
works with the Systems Engineering Office, nor which instructs the 
"doer" organizations. 

5. The Program Office also has been working on a systems 
engineering plan to assure that delivered vehicles meet the total re- 
quirements for fl.ightworthiness and to specify the relative roles and 
responsibilities of the organizations involved in meeting these re- 
quirements. Such a plan helps insure both an efficient organization 
and that significant requirements are not lost sight of. Work on 
this plan has been delayed further. If the plan is not to be avail- 
able in a timely fashion then management will have to assure that the 
basic need that required such a document is met in another way. 

6. The Panel and the Hawkins Committee have emphasized the 
need for program management to continue to review the panels and work- 
ing groups, to assure that the system anticipates emerging program 
needs and does not lag them, and that individual groups are operating 
effectively. This year program management partially responded to this 
recommendation with a review which resulted in consolidation of some 
panels to reflect changing work requirements and the chartering of new 
ones Cor recently identified needs. 
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7. In monitoring such areas as integration of the main 
propulsion system, the Panel reviews the work of the groups involved. 

i 

In one such review the Panel found that the newly established Chief 
Engineer at MSEC for the Main Propulsion System was not a member of 
the integration panel (e.g., Systems Integration Review Panel) activ- 
ities at JSC. The Panel believes that he should have direct partici- 
pation and membership in the Systems Integration Review Panel activ- 
ities, as well as be a part of the approval cycle for Level II 
and III documents pertaining to his area of responsibility. 

The Panel has not yet completed consideration of other 
important system integration issues such as configuration management, 
interface control and interaction between Shuttle system elements. 

B. INDEPENDENT TECHNICAL ASSESSMENT 

The Panel also has reviewed the evolution of the independent 
assessment groups, giving particular attention to the evolution of 
the group at JSC. This group became operational at the first of the 
year and began detailed discussions with each of the critical sub- 
system managers . Based on these discussions, and their past experience, 
the group identified the areas where they would make detailed studies. 
The results of these studies were to be provided management in forms 
that appeared appropriate to the situation. In some cases the judg- 
ments were offered as informal advice to managers and engineers. In 
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other cases, the studies were written for senior program and center 
management's consideration. It is too early to assess how these 
groups will evolve or their effect on the program. Our thoughts 
at this time are: 

1. The technical assessment groups either can focus on 
identifying problems for program resolution or can take on the role 
of trouble shooter and work the resolution of the problem. Both 
roles are acceptable. However, the Panel favors the role of identi- 
fying problems so the assessment groups can cover more areas of the 
program. 

2. Studies of the program assessment group at SC indicate 
the value of such groups. For instance, they have made significant 
studies in such areas as contingency abort planning and possible 
Orbiter failure that would shut down the Main Engine. Given the po- 
tential workload for these groups, one of their real problems will 

be the establishment of priorities. The Panel suggests that priority 
be given to safety issues rather than non-safety issues that may 
seem more pressing. 

C. ABORT AND CONTINGENCY PLANNING 

The Panel reviewed abort and contingency planning from the 
perspective of system management because there needs to be a clearly 
identifiable system dedicated to this area. This would include the 
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integration of hazard assessments for various elements, so that the 
vulnerability of one ilement to the hazards of another is understood. 
Where practical the margin of safety should be enhanced, but whether 
the margin is sufficient is, of course, a matter of management judgment. 

The Panel seeks to assure that the pertinent facts are re- 
viewed at the right levels prior to such decisions. For example, the 
program carefully considered how the Orbiter could be protected against 
Shuttle system failures during the Solid Rocket Booster burn period. 

Both the abort systems that could be used in the advent of an SRB 
failure and experience with reliability of solid rocket systems were 
reviewed. The conclusion was to depend upon quality control on the 
SRB rather than an abort system with its complexity and potential 
failure modes. Also, ejection seats will be used during the early 
test flights to enhance crew escape in ease of aborts. Emphasis is 
on intact abort planning rather than contingency abort planning; in- 
tact abort requirements dictate hardware design requirements. Effects 
of a failure in a system or subsystem causing the loss of a critical 
function should be compensated for through appropriate safety margins 
or redundance. This allows design of the vehicle so that the Orbiter 
and its crew may return safely if such failures should actually occur. 
The rule on failure modes and hazards, other than critical ones, is 
that they shall be eliminated by design or by workaround only where 
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this is both feasible and cost effective. 


The Panel's review this year was comprehensive in order to 
define where we should focus our attention in the coming year. 

In reviewing the possible abort conditions, it appeared 
to the Panel that the following system reviews are in order since we 
want to make a determined effort to remove or minimize the risk of 
as many of these contingencies as possible. 

1. The explosion of a solid rocket booster, a main engine, 
the external tank, an orbit maneuver engine, or a reaction control 
system would, in all likelihood cause the loss of an orbiter. Thus, 
all possible measures must be taken to prevent such an occurrence 

or to provide warning so that such an explosion could be prevented » 

2. The failure of the solid rocket boosters or the external 
tank to separate constitutes a hazard that is difficult to evaluate. 
There is no program in the control system to handle the failure of 

the solids to separate even if they were finally ejected at the exter- 
nal tank ejection signal. The crew should know what to do in such 
a contingency or a program should be developed. 

3. In the early flights there will be no shuttle to perform 
rescue services, so effort should be made to minimize contingencies 
which might cause rescue to be needed. These include doors ( payload 
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bay doors, or umbilical door) which cannot be closed prior to re- 
entry or the failure of the external tank to separate • 

4. A thorough analysis of thrust vector controls has not 
been completed but it would appear that, with four computer channels 
for such control, there is little likelihood of one power plant (solid 
or liquid) going hard over by itself. The solids, if the system fails, 
go to a previously selected neutral position in order that control 

can be maintained. The main liquid engines do not "fail" into such 
a position and interference would exist with other "swinging" engines 
if such a neutral position were held. Since the four computer channels 
appear to be adequate for thrust vector control safety, it is suggested 
that input and output devices and the mechanisms for moving the engines 
be reviewed to be doubly assured that no "hard-overs" can exist in- 
advertently. 

5. It would appear that two APU failures in the orbiter 
would make a reentry and a normal landing extremely marginal. Due 
to the long storage time on orbit, it can be argued that two APU 
failures on any given flight might be statistically conceivable. 

Thus the adequacy of test and APU system design should be reviewed. 

6. Loss of pressure in the cabin appears to be a singular 
and important hazard. There are two cabin air supply systems and three 
fuel cells which provide cabin air pressure and conditioning. The system 
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must operate for the entire mission and total failure would be fatal. 

It is suggested that a concentrated review take place, seeking once 
again, the strong confirmation that this is a remote enough risk to 
take. A third air supply system might be feasible, and valuable. 

7. There are several essential systems characterized by hav- 
ing "3 engine" safety - the control system, the APU system on the Orbiter, 
and the reaction control system. Since the loss of any of these total 
systems would incapacitate the Orbiter, constant reevaluation is in 
order. The common tankage for the RCS should be reassessed and par- 
ticular attention should be paid to the APU's since the Orbiter would 

not be able to return on one APU unless initial conditions were perfect. 

8. The decisions regarding launch "destruct" have been 

made for OFT. The decisions for operational flights: whether destruct 

is needed, what it needs to destroy, who is in charge of specifying 
its characteristics and actually commanding destruct are still to be 
confirmed. Inherent in any such system where pilot escapa is planned 
is the problem of how to warn the pilot so that some escape may be 
initiated. 

In this coming year the Panel will review the management 
system as it operates in working each of these eight points and the 
conclusions so far. We, of course, will also try to make suggestions 
that would raduce each risk that did not seem to be sufficiently 
controlled. 
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Finally, the "twin engine" characteristics of the cabin 
pressure system and the consequence of sequential failures of the 
orbiter APU's should receive priority attention. In addition a 
thorough search of the logic of how the computer based thrust vector 
control protects against hard-overs that are not commanded needs to 
be made but currently the Panel does not have that degree of tech- 
nical software expertise to serve the Panel. A similar detail review 
should be made of the crossover capability which exists on the con- 
trol system to maintain hydraulic pressure in the event of APU failure 
with specific focus on the adequacy of maintaining’ hydraulic pressure 
in the main engine control valve system. If an APU shuts down there 
will be an automatic shutdown of that engine being served. 

D. RESPONSE TO PRIOR RECOMMENDATIONS 

The Panel has reviewed program response to other recommen- 
dations, including those of the Hawkins Committee. The Pt iel's ob- 
servations are: 

1. The authority for decision to accept these recommen- 
dations properly resides with program management, who hav esponsi- 
bility and accountability for the program. 

2. Program Management gave the recommendations careful 
consideration. As can be expected there are some differences in judg- 
ment between program management and the advisory groups. Management 
is trying to meet the intent of the majority of recommendations. 
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III. RECOMMENDATION!) 


A. Comprehensive review of integrating groups’ operations 
should be conducted regularly to insure responsiveness to program 
needs. 

B. The Chief Engineer for the Main Propulsion System should 
be a member of the Systems Integration Review Panel. 

C. Individuals at the systems integration level at JSC and 
at Rockwell's Space Division should be given appropriate management 
responsibility, authority and resources for contingency analysis and 
planning. 

D. Analysis and evaluation of the vehicle capability for off- 
design cases should be done now, rather than later when any necessary 
changes would be prohibitively costly. Staffing needed for this 
effort should be provided. 

E. Since the program has decided to depend upon reliability 
Oj, the SRB as the major safeguard against failure, the management 
system should have an integrated plan to assure there are appropriate 
quality controls during the life cycle of the SRB, i.e., manufactur- 
ing, checkout and reuse. 

F. Since there is a potential for hazards to the SRB from the 
aerodynamic environment or failure modes elsewhere in the vehicle, 

a hazard assessment report on this area should be prepared for 
management. 
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Dr, Seymour C. Himmel 
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3.0 SHUTTLE MAIN ENGINE 


I. BACKGROUND 

Task team activities were concentrated on the specific concerns 
identified by the Panel during previous reviews and those resulting 
from NASA in-house meetings and the Hawkins Comn.utee efforts. The 
areas singled out for examination included: 

A. New and still to be proven technology. 

B. Design conservatism to meet requirements for engine reuse. 

C. Adequacy of the Electronic Controller, including its ability 
to operate reliably in the engine environment. 

D. Engine control capability and the results of credible failures. 

E. The test program and its adequacy for achieving the engine 
program objectives. 

F. The Engine and its integration into the total Shuttle system. 
This interim report provides a "snapshot” of the program as viewed 

by the Panel and, where appropriate, assessments, recommendations, and 
future plans for further reviews of the Space Shuttle Main Engine. 

The Panel has had this critical Shuttle area under review on a 
fairly continuous basis over the past two years, as shown in Table 1. 
Attention has been focused on: status of design, test and fabrica- 

tion development; current and projected problems; dominant uncertainties 
in the design and expected performance; and technical and managerial 
resolution of program problems and uncertainties, including trade-off 
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studies. The sensitivity of the engine hardware/software development 
to cos'* and schedule influences is a part of the review process. 

Pertinent background is found in the Space Shuttle Program's re- 
sponse to the Panel’s 1975 Annual Report. Those responses relating 
directly to the SSME are provided in Appendix A. These comments were 
provided to the Panel in October 1975. 

In the coming months, the task team will continue to monitor and 
examine the engine and component test programs and the Controller and 
its software at both contractor and NASA locations. Members of the 
Panel and task team will continue to attend in-house meetings and 
reviews. 

II. OBSERVATIONS 

A. Management 

There have been a number of organizational changes at Rocket 
dyne Division of the Rockwell International Corporation with the ob- 
jective of strengthening their in-house efforts as well as to better 
meet the current program needs. Among the more important changes were 
the establishment of an Associate Program Manager for the Controller 
and the strengthening of engineering activities, particularly those 
in support of the manufacturing effort. 

The review process and system integration activities are 
derivatives of those developed for the NASA Saturn engine programs. 
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Prom the material provided to the Panel , it appears that both the for- 
mal and informal channels are operating well and the information flow 
to those charged with the decision-making process appears adequate. 

A number of working- level panels and groups have been established to 
meet special needs of the Shuttle program and the Main Engine in par- 
ticular. These include: 

1. "Space Shuttle Integration Reviews," Program Directive 
14A, which provides technical inputs necessary to establish and main- 
tain system specifications and to verify design compatibility of the 
integrated vehicle. 

2. "Space Shuttle Integrated Propulsion and Fluids Technical 
Management Area," Program Directive 24, provides for technical manage- 
ment and for a "Main Propulsion System Panel." 

3. "Space Shuttle Ascent Flight Systems Integration Group," 
Program Directive 57, which supports the Systems Integration Review (SIR) 
particularly in the ascent phase '-'hen the. engines are utilized. 

B. Technical 

The more recent major reviews of the program include "SSME 
Design Margin Review," in July 1975 and MSFC's Quarterly Reviews 
of January 1976 and April 1976. The results of these review efforts 
are included in the following sections of this report. The SSME 
Critical Design Review currently is scheduled for the September - October 
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1976 time frame. 


The SSME Design Margin Review was the culmination of an 
extensive long-term review initiated in the fall of 1974, It pro- 
vided a much needed in-depth review of such items as the design cri- 
teria, load calculations, assumptions used, methods of analysis, 
analytical results and their meaning, concepts for increasing margins, 
and flight constraints. It produced, as expected, a number of action 
items and recommendations. Typical of these were: (1) review methods 

that can be used to identify incipient failures and devise a compatible 
resolution; (2) use maximum throttling ramp rate; (3) limit thrust for 
early flights to Rated Power Level; (4) continue to obtain materials 
properties; and (5) increase hardware confidence by conducting tests 
at higher pressures and temperature levels with added instrumentation. 
All of these items are either under active consideration or in-work. 

The Engine Controller posture at this time appears to be en- 
couraging. Functional testing of the rack mounted BT-1 unit operating 
with the Integrated System Test Bed engine firings, and environmental 
testing of the structural thermal engineering model (SM-1), and the 
Production Prototype unit (PP-1) indicate that, with the resolution 
of some design problems, Che flight configuration controllers should 
meet system requirements. This will require a continued, determined, 
effort on the part of NASA, Rocketdyne and Honeywell (the Controller 
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contractor). Most of the problems that surfaced during the test 
program to date have been resolved or are in the process of being 
resolved. These include, for example, memory system noise, cracked 
solder joints, minor circuit design problems, manufacturing problems, 
and electromagnetic interference (EMI) emanating from the power 
supply. A major problem was the breaking during vibration testing 
of wires that had been "stitch welded" on the Master Interconnect 
Board. A concerted effort by NASA and contractors resulted in a 
decision to examine a parallel design/development activity to em- 
ploy Multilayer Boards which would eliminate the wires and thus 
wire breakage. The Multilayer Board change, if used, would be applied 
to the P-4 controller and subsequent units depending upon funding 
constraints . 

Because the Controller is attached directly to the upper en- 
gine structure, the severity of the vibration environment has required 
the design and installation of a vibration isolater (shock-mount) 
system. This work is progressing rapidly now and appears to provide 
the necessary attenuation as evidenced by the test results with an 
early mount design. These results of tests with this early isolator 
design indicated proper Controller operation after vibration testing 
at 22.5 g in each of 3 axes for 30 minutes per axis. Using a revised 
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design mount (isolator) the PP-2 Controller unit has been subjected 
to test inputs of 22.5 g's for 7.5 hours in each of the three axes. 

Although anomalies did crop up they do not appear to be major in that 
redesign is not required, but that assembly and drawing compatibility 
may require further attention. After completion of this test series 
additional hours were run at the 22.5 g level to reconfirm the overall 
acceptability of the current design. These appear to have been successful. 

The Controller software programs have progressed a great deal 
over the past year, but much is yet to be done. Software has been in 
operation on the ISTB program and under laboratory tests. It is planned 
to have the software delivered during 1976 with operational updates 
made in 1977. It is noteworthy that the Controller system (the combi- 
nation of software and hardware) has to date been able to shut down 
the engine safely under normal and abnormal testing circumstances. 

The SSME top priority items receiving major Roclcetdyne manage- 
ment attention at this time are: 

1. High Pressure Fuel Tuvbopump Subsynchronous Whirl 

2. High Pressure Oxygen Turbopump Performance 

3. The 77.5:1 Nozzle Fabrication 

4. Hot Gas Manifold Liner Excess Pressure Differential 

5. Test Program 

Briefly, the status of these items is: 
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1. The High Pressure Fuel Turbo Pump axial thrust balance 
system appears to be resolved. Modifications have been incorported 
that have balanced the system up to 85% RPL to date. In addition, 
the rotor is exhibiting subsynchronous whirl. These matters are 
under active attack by the Project. 

2. The High Pressure Oxygen Turbo Pump performance exhibited 
performance (head rise) 20 percent lower than predicted. A design change 
in the impeller has been implemented that should overcome this deficiency. 

3. The full scale engine, nozzle, expansion ratio of 77.5:1, 
has encountered numerous fabrication difficulties caused by material 
distortion in the welding process. Changes have been made in the de- 
sign and the welding procedures that appear to provide a solution to 
this problem, albeit at a projected increase in weight. Two redesigned 
nozzT.es have been through a braze cycle and appears to have been success- 
ful. Hot fire testing of nozzle #1 is scheduled for August 1976. It 
appears that some further changes may be necessary since flight nozzle 
jackets #3 and # 4 exDerienced buckling. 

4. The hot gas manifold coolant liner is the oxygen turbo 
pump side of the hot gas manifold was found to have buckled as a result 
of excessive pressure differential. It would appear that this had 
occurred during the last high-power ISTB run. This problem occurred 

as a result of contamination on the backside of the injector causing 
an excessive pressure drop across the hot gas manifold liner. Additional 
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holes were drilled in the primary faceplate of the injector to reduce resistance 0 

The test program is still in its early stages both at the 
component and engine system level. Notable progress has been made 
with all components with the exception of the full scale nozzle having 
been operated to at least minimum power level and at least hal f having 
reached rated power level conditions. The durations at higher power 
levels have been, generally, short but do represent progress. 

A serious incident occurred at the COCA 1A Test Site on 
February 4, 1976, during which the oxidizer turbomachinery subsystem 
under test suffered substantial damage and significant damage was done 
to the test stand and its facility equipment. Conclusions of the in- 
cident investigation indicated that a facility oxygen flowmeter failed, 
resulting in elements thereof breaking loose, moving downstream, and 
impacting the seat of the facility LOX discharge throttle valve, caus- 
ing ignition and burning. The resulting pressure rise fed back to the 
turbomachinery under test and initiated cutoff. Before this could be 
effected, however, the changes in machinery operating point, resulting 
from the facility failure, caused the high pressure pump to cavitate, 
lose balance piston function and fail. 

This incident triggered a review of test facility design, con- 
figuration, hardware, etc., throughout the engine program. The results 
of these studies and the experience gained will be transmitted to other 
Rockwell divisions and NASA. Corrective action has been initiated 
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and it is anticipated that testing at COCA 1 will be resumed in 
June. The impact of this incident is a test schedule slip of some ten 
weeks. 

The principal objective of the March 1976 review meeting 
with Rocketdyne was to discuss the engine test program rationale and 
philosophy. The program is very well documented in a ’’document tree” 
that has at its apex the engine Program Development Plan and provides 
a comprehensive picture of the test program. It covers both develop- 
ment and certification test plans culminating with the Final Flight 
Certification of the engine* 

The testing is governed by Design Verification Specifics t xOns 
that provide details of test requirements and objectives and cross- 
references, as to the source, eacn requirement and what constitutes 
verification. The system also includes a ’’constraint map” called 
Bench Mark Control Points that establishes requirements for successful 
lower level test completion prior to initiating tests at higher assembly 
levels. 

All told, the test program is well documented and contains 
built-in feedback management control mechanisms to insure that con- 
aints are not violated. The documents are evidence that much 
effort was expended in planning the program and that it is a tightly 
integrated and austere effort. If the documentation is to be faulted 
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at all, it would be that the rationale for the decisions/criteria 
reflected in the program documents is not apparent therein. This will 
require further discussions between Panel members and the design groups 
involved. 

III. ASSESSMENT AND RECOMMENDATIONS 

The reviews and observations of the task team led to the follow- 
ing current assessment of the engine program: 

A. The program is in its early testing stage and is experiencing 
the sorts of development problems that were not uncommon in previous 
engine programs at this stage of the program. The engine is, of course, 
a venture into a new area of technology and without the benefit of 
experience it is difficult to predict where all the pitfalls may be. 
However, they may be expected to lie in the area of how to design rocket 
engines for "long" life. 

B. Most of the components are exhibiting performance near pre- 
dicted values. The key elements that will be investigated this com- 
ing year are stability and durability of the components and higher 
assemblies . 

C. The test program as currently planned will accumulate about 
56 hours of engine testing at FFC (Final Flight Certification). This 
is about the same test time accumulated on the F-l and J-2 programs 

at a comparable point, but these programs had about ten times the test 
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hardware available. When pressed, and with the benefit of retro- 
spective visual acuity, the Rocketdyne people will acknowledge that 
they could probably have gotten along with one-half the hardware in 
the earlier programs. This still leaves a disparity of a factor 
of five in available test hardware for the present program. This 
decision was made knowingly, the belief being that the more thorough 
planning, drawing and design control, etc., of the current program 
would obviate the need for more test hardware. It is important to 
note that the die is cast, the lead time for added test hardware is 
such that if it were ordered today it would probably not become avail- 
able soon enough to help overcome problems an^ maintain the current 
schedule. 
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PANEL ACTIVITIES RELATED TO THE SSME PROJECT 
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* Major reviews were conducted during these sessions,. 



APPENDIX A ; RESPONSE TO PANEL'S ANNUAL REPORT 


STATEMENT 

The major challenges of significance for crev safety on the Space 
Shuttle Main Engine are materials behavior under severe environments, 
weld integrity, PGGO suppression, and engine controller performance 
and reliability. Therefore, the results of the test program will bo 
critical to developing confidence in these areas. 

RESPONSE 

SSME Materials Behavior Under Severe Environments 

(a) An extensive analysis and test program is well under way. 

The fracture mechanics test program has been expanded to include more 
materials and components. Fracture mechanics analyses include load 
cycling and environmental conditions, alloy/condition combinations, 
weld combinations, and the effects of coatings and weld overlays. 

These analyses will be verified by the test program. Minimum detect- 
able flaw sizes will be established by nondestructive methods. In 
addition, an assessment of the structural margins in the SSME with 
regard to structural, weight, and performance requirements was con- 
ducted by a high level team composed of members from JSC and MSFC. 

All 117 components reviewed meet the engine safety factor requirement 
of 1.4 at full power level, and 88 of these meet a 1.5 safety factor 
at full power level. 
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SSME Weld Integrity 


(b) Fabrication of the first engine and supporting components 
revealed areas requiring improvements in weld integrity. Extensive 
action has been taken in the area of weld analysis, redesign of some 
weld joints, converting from manual to automatic welding, evaluating 
of process parameters, upgrading/increasing staff, upgrading equip- 
ment and improvements in inspection anc quality control procedures 
to assure good welds. 

POGO Suppression 

(c) A continuing analytical program is under way and being pursued 
to understand the POGO phenomenon and its implications to the SSME by 
NASA field centers and their contractors. A POGO integration panel, 
chaired by Dr. Harold Doiron of JSC, has been in operation since 

June 1973, to continually review analytical and test data. The POGO 
suppressor has been baselined and a comprehensive test program on 
individual component parts is already under way. Engine tests will 
verify the POGO suppressor system. Extensive use has been made of 
Saturn data in designing the test program. 

Engine Controller Performance and Reliability 

(d) High priority by top management at Honeywell, Rocketdyne, 

MSFC, and Headquarters is being applied in this area. Because of 
current problems with the controller interconnect system (inboard 
master interconnect system) and the fact that it is difficult to 
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manufacture and reproduce, two studies have been initiated on an 
interconnect redesign effort as a product improvement. Furthermore, 
we are proceeding to mount the controller on isolators (shock-mounts) 
which significantly reduce all vibration energy into the controller 
at frequencies above 100 Hertz. In addition, RTV potting and foam 
have been added to the inboard master interconnect board to reduce 
wire stress concentration and dampen the wires dynamics. It should 
be noted that the wire breakage problem we have encountered has been 
associated with the inboard half of the controller interconnect system, 
and not the memory plated wire. 
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4.0 ORBITER THERMAL PROTECTION SYSTEM 


Dr. William A. Mrazek 
Mr. Howard K. Nason 
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4.0 ORBITER THERMAL PROTECTION SYSTEM 


I. BACKGROUND 

During 1975 and the first half of 1976 the Panel and the Orbiter 
Thermal Protection System (TPS) task team conducted detailed fact- 
finding sessions at JSC, Rockwell Space Division, and Lockheed, Sunny- 
vale. During this period, special attention was paid to the following 
areas : 

A. Current requirements which dictate the type and coverage 
provided by the Reusable Surface Insulation (RSI) , and the Leading 
Edge Structural Subsystem (LESS). 

B. Tile materials and coatings. 

C. RSI and LESS installation and maintenance, with emphasis on 
protecting doors and protuberances, and on sealing of aerodynamic 
control surface openings. 

Our most recent meeting with those personnel responsible for the 
management and integration of the Orbiter TPS was on May 24, 1976 at 
JSC. Because of the interactions between the Orbiter TPS and other 
Shuttle elements it has come under review by other task teams to vary- 
ing degrees, e.g. , Ground Test and Flight Test task teams, Risk Manage 
ment task team, etc. , resulting in supportive efforts. 

The following Orbiter TPS development milestones are noted in 
order to place the current state of the TPS in perspective. 

A. TPS Design Review was conducted August 1975. 



B. TPS Delta Preliminary Design Review was completed May 1976. 

C. TPS Critical Design Review is scheduled for May 1977* 

D. Certification for the first manned orbital flight test is 
scheduled for the first quarter of 1979, 

II. OBSERVATIONS 

Requirements for the design, fabrication and maintenance of the 
Orbiter TPS components have been firmed-up to the extent that basic 
materials have been selected, the TPS ’’design to” baseline for OFT #1 
has been defined to assure a safe first mission, TPS failure effects 
have been explored, installation methodology is evolving, and develop- 
ment tests are supporting all of these efforts. An interesting example 
of RSI requirements are those for mission life for HRSI, LRSI and 
FRSI as noted below: 

A. High Temperature Reusable Surface Insulation (HRSI) 

100 missions for ’’acreage” tiles with maximum temp ^ 23P0°F 

1 or more missions for elevon and nose tiles, temp = 230w° to 2501. °F 

1 mission for the body flap tiles, temp = 2500° to 2800°F 

B. Low Temperature Reusable Surface Insulation (LRSI) 

100 missions for all tiles with maximum temperature ^ 1200°F 

C. Flexible Reusable Surface Insulation (FRSI) 

100 missions with maximum temperature under 700°F during entry 

30 or more missions with maximum temperature under 750° F on entry, 
830° F on ascent and over temperature capability on a single 
mission to 900° F. 
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Updating and refining of aerothermodynamic analyses has resulted 
in heating predictions which relax the requirements (heat loads and 
temperatures along with times of application) in some areas while 
tightening them slightly in others. The net effect is the increase 
in the area which can be covered with the FRSI (coated Nomex felt), 
and a decrease in overall TPS weight. 

Substantial progress has been made in tile moisture proofing, 
coating, bonding and installation. The method for depositing the 
moisture prevention material has been changed to vapor deposition 
thus expanding the kinds of materials that can be considered, A 
new polymer, vapor deposited, has been sufficiently tested that its 
timely full qualification can be expected. The unexplained cracking 
of the Lockheed 0050 coating has resalted in its being replaced on 
the HRSI by the Ames Research Center (NASA) RCG coating. Lockheed 
0050 coating still is to be used on the LRSI tiles. After early pro- 
blems with the manufacture and storage of the basic glass for tile 
production, Johns Mansville has now produced material that appears to 
be satisfactory, with a substantial reduction in voids and inclusions. 
It is emphasized that this is not a hazard or safety problem, but a 
problem of producing smooth surface tile which affects bonding and 
installation time, A method has been evolved by Rockwell's Space 
Division to provide computer-based contours to Lockheed, which are used 
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to machine the external (exposed) faces of the tiles. In addition, 
a system of grouping tiles in an assembly fixture has been worked out 
so that the entire cluster can be machined to proper contours as a unit. 
The same fixture is used to transport the tile and to hole it in arrays 
for attaching to the Orbiter skin. Finally, the assembly system in- 
cludes the masking of one row in the fixture so that this row is not 
glued to the surface. It is removed to provide edge room for the 
adjacent fixture and the retained tiles are then inserted and fixed 
to the surface after the arrays are installed. An improved system 
for bonding the tiles to the Strain Isolator Pads (SIP) and then to 
the Orbiter skin should be verified by September 1976. 

Orbiter penetrations, doors and dynamic seal areas continue to 
receive a great deal of attention. Such locations include: payload 

bay doors, vent doors, main and nose landing gear doors, LESS to RSI 
interfaces, wing/elevon, aft fuselage/body flap, and rudder/speed 
brake gap areas. In resolving the problems associated with these dynamic 
areas, a "brush" type seal using silica fibers was tried and has been 
found unacceptable and alternate designs are being investigated. The nose 
gear door has been redesigned to eliminate some problems experienced 
with sticking due to thermal sealing. 

III. ASSESSMENTS AND RECOMMENDATIONS 

At fhe present time, a number of previously nagging issues have 
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been resolved yet a good number remain. These are caused in part by 
the technical problems and in part by the schedule-budget tradeoffs 
that have had to be made. 

A. Current experience with the RSI shows that is has low re- 
sistance to ground handling damage, but a good capability to sustain 
damage without catastrophic failure during induced environmental 
exposure,. The RSI installation is cost-schedule sensitive with respect 
to (1) tile gap and step criteria, (2) tile geometry, and (3) instal- 
lation techniques. 

B. The tile material itself appears to be satisfactory from the 
standpoint of production and processing. However, the program to 
fully characterize structural capabilities has been delayed. This 
can result in the delivery and installation of tiles on the Orbiter 
before full confirmation of its adequacy. The risk appears to be 
acceptable from a safety standpoint as long as the data for confir- 
mation are obtained before first flight. 

C. Concerns associated with the LESS include the ability to 
maintain required gaps and steps between the Reinforced Carbon-Carbon 
material (RCC) segments and the interfacing HRSI tiles (concern about 
early tripping of boundary layer). Additional concerns include mission 
life capability, and cracks on the nose cap shell observed during 
development testing. 
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D. The ability to adequately protect vehicle openings from the 
high energy plasma during entry has yet to be proven. This appears 
to be receiving adequate attention, but may require some redesign 
effort, prior to the first OFT, which is not contemplated at this 
time. This may also serve to expand the current Development Flight 
Instrumentation requirements. 

E. The first orbital flight test mission, OFT #1, is to use 
trajectory shaping to minimize the total heat load and structural 
bonding layer temperature, and at the same time to accommodate tra- 
jectory dispersions, early boundary layer transition and the uncer- 
tainties associated with the TPS predicted performance. This should 
assure first mission safety. 
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5.0 AVIONICS MANAGEMENT 


Mr. Herbert E. Grier 
Hon. Willis M. Hawkins 
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5.0 SHUTTLE AVIONICS SYSTEM 


I. BACKGROUND 

The Avionics System for the Shuttle is the combination hardware/soft- 
ware system which controls and directs the Shuttle flight. Through its 
sensors, computers, and interface units it coordinates and implements 
all functions of the flight except for the specific control of the 
engine which is done by a separate computer system built onto the en- 
gine. The computers of the Avionics system are the nerve center of 
the Shuttle, and hence must function for the flight to be performed. 
Appropriate redundancy is built into the system and provision has been 
made for manual as well as automatic input. The matter of redundancy 
is not simple, in that the software system itself is a single point 
failure item except in part for the backup guidance program. This 
fact is the driver that makes the verification and testing of the 
software so important in order that the postulated redundancy will 
be realised. 

Because of the criticality of the Avionics System and the inherent 
challenges in managing this area, the task team meets frequently with 
the various organizations at the Johnson Space Center and the hard- 
ware and software contractors. In addition the team meets with the 
technical assessment group at JSC and the Chief Engineer to discuss 
their reviews of this area. Inspection trips are made to both 
ADL and SDL integration laboratories. 



II. OBSERVATIONS 


The current state of the system is that the hardware has been 
designed and procured. Equipment is coming in and is being de-bugged 
and operated in the ADL and SAIL laboratories both at Rockwell and 
at Johnson Space Center. There are hardware and system problems that 
are being worked diligently and that should be monitored, (e.g., the 
limitation on Avionics cooling), but the quality of the hardware seems 
to be very good in light of the stage of the program. 

With the hardware in the stage it is in, emphasis has gone to 
the integration of the various elements and the requirements for 
their proper operation which, in total, constitute the specification 
for the software system. There has been an initial design of a soft- 
ware system, but as specific component data become available and 
mission requirements become more firm, variations or new input must 
be expected in the software system. These variations are the basis 
of our concern with the Avionics System. 

The computer system in the Shuttle is complicated, and verifi- 
cation of the software is difficult to quantify. In fact, the con- 
fidence in software verification is directly proportional to the time 
spent in such verification; that is, the thoroughness and extent of 
the verification procedures. In general, one is not confident to say 
that a software system is reliable unless it has been extensively used. 
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The criticality of the software system and the difficulty of quanti- 
fying its verification make it mandatory to have an independent assess- 
ment of the software. Current proposals are to program the testing 
at ADL and in SAIL so as to perform a complete, independent check of 
the software. This is a good plan and it must be implemented in a 
timely manner, and then changes must be rigorously controlled. 

The major problem with the Avionics software system is two- fold. 
First, the tendency of hardware people to solve anomalies in their 
hardware by changes in the software; and, second, the better definition 
of the specificationo for mission operations which results in a greater 
software requirement than was initially contemplated for the system. 
Both of these factors, and particularly late timing, affect the degree 
of confidence that one has in the formal verification. It is imper- 
ative that the computer groups have sufficient time for the software 
verification, and the simulation laboratories have time to check as 
deadlines approach. ^Jhile the first orbital flight is some time away, 
the ALT flights are almost upon us. The organizational structure to 
police and drive this program is not readily apparent. 

In the course of our discussions several factors became obvious. 

The first was that the NASA management system is geared to establish 
communications and coordinate the activities of a number of entities 
at different locations. However, it does not adequately identify a 
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specific Avionics responsibility. This system, through its various 
reviews and panels does, in fact, successfully accomplish a major 
task of integration, but it is ponderous and time consuming when it 
must respond to specific, immediate problems in real time. The people 
in the total system are for the most part very experienced, and an 
informal system of coping with the real time technical problems has 
grown up. This system is absolutely vital in that it rings the bells 
to alert the formal system and supplies the input necessary for the 
more formal deliberations. This informal system should by no means 
replace the formal system, but it should be recognized, directed and 
integrated if the overall structure is to be optimized. From an 
academic point of view an informal system, with its undefined re- 
sponsibilities, can sometimes result in balls being dropped, partic- 
ularly with inexperienced people. We must hasten to say that we feel 
because of the quality of the personnel the present system is working 
well. It could perhaps be better defined. We feel that program 
management recognizes this, that the recent strengthening of the 
Avionics integration activity will help and that the recognition by 
the technical assessment group of the importance of the Avionics prob- 
lem is a good sign. In discussions with the technical people it is 
quite clear that the integration laboratories (ADL and SAIL), where- 
in hardware is operated in systems of varying configurations, are 
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very useful tools. These laboratories provide a real communication 
channel between all the elements involved in the particular system 
or subsystem being tested. The joint experience gained here is essen- 
tial in establishing confidence in the Avionics system and is abso- 
lutely necessary as an independent check on the computer software veri- 
fication. 

The whole matter of computer programming and verification is per- 
haps the element of the system most difficult to assess. The nature 
of the system and of the current stage of the program inhibits the 
development of firm computer program requirements. As more simulation 
experience is generated, for instance, the detailed requirements of 
manned versus automatic flight undoubtedly will change, resulting in 
program changes. In addition, the ALT flights will certainly produce 
data which will require modifications to the programs. As these modi- 
fications or new requirements are defined, a continuing effort must 
be established to police the overall computer program. There is a 
limit, and there are indications that requirements may exceed the 
computer capacity. The response to such a situation must not reduce 
the redundancy built into the computer system. 

Verification of a computer program is a subjective and iterative 
process and it is not easy to assign a confidence number in the same 
sense that one does with hardware. It is particularly difficult for 


57 


the panel to achieve an assessment in this field. It would be help- 
ful if a single individual were placed in charge. 

III. ASSESSMENT AND RECOMMENDATIONS 

The conclusion of reviews to date is that the hardware in the 
Avionics system is in reasonable shape and that it will perform prop- 
erly. The software system is currently in a state of flux and is now 
being given attention, in an effort to scrub down or assign priorities 
to the requirements and to examine opportunities for simplification. 

We feel a centralization of control of the software in the program 
would be beneficial. It is quite clear that because of the reduced 
requirements on the system for the ALT tests, the load on the computer 
system is eased. However, confidence in the adequacy of the software, 
even for this simpler flight program, has still not developed and the 
Panel must monitor the software program assiduously between the present 
time and the ALT test. 

One conclusion is positive. The Shuttle team, on both the con- 
tractor and government side, is composed of experienced, competent 
people. This fact establishes confidence in the overall program, and 
assures us that given enough time any contingency can be dealt with 
properly. 

Our recommence t ions are: 

A. A competent, knowledgeable person should be assigned at the 
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Program Office level to perform the function of Chief Engineer-Avionics. 
This may well be the recently appointed Manager, Orbiter Avionics Systems, 
if he has the central responsibility for the software and the system 
that it knits together. 

B. The program of testing and simulation of the Avioncis system 
should be given a high priority as it forms an independent verification 
of the software. An additional important benefit of such testing is 
that it involves a great number of subsystem designers and will form 

a valuable, real-time communication link in the technical management 
and integration system. 

C. The technical assessment group should establish an appro- 
priate effort to quantify and assess the degree of confidence one can 
assign to the planned software verification. In our opinion this 
group should be supplemented by outside experts in the software systems 
verification field. 

D. The recent emphasis on the responsibility of the Avionics 
Integration Office was a move in the right direction and, if appro- 
priate, further efforts should be made to more clearly define specific 
software responsibilities. 

E. Future actions of the Panel should be limited to monitoring 
progress of the system so as to judge the state of readiness prior 

to ALT and the first orbital flight. Should the Panel be expected 
to assess in detail the software verification, it will need to be 
supported by an expert in that specific field. 
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RISK MANAGEMENT 


6.0 


. Charles D. Harrington 
. Herbert E. Grier 
. Willis M. Hawkins 
Mr. Lee R. Scherer 


6*0 RISK ASSESSMENT 


I. BACKGROUND 

A task team has been formed to review the risk management system 
and its handling of specific challenges. The task team obtained its 
information by meetings at JSC and the principal contractor with both 
managers and the specialists working for them* These meetings were 
held in September and November 1975, and February and May 1976* Num- 
erous written reports also were provided to substantiate decisions and 
to demonstrate the procedures used to assure that safety problems are 
evaluated adequately. 

II. OBSERVATIONS 

Tne areas reviewed included the management system for application 
of lessons learned from prior programs to Shuttle and the specific 
cases of the controlled use of teflon insulation, of 26 gauge electri- 
cal wiring and of threaded fasteners. The Panel also reviewed the 
approach to crew and range safety* Finally, we reviewed the approach 
to assessing and controlling the aggregate or toal risk on the program. 

A. Lessons Learned 

The subject of lessons learned is a complicated one. Ob- 
viously, a lesson must first be identified as such and there must be 
agreement as to the proper steps to avoid further occurrence. Once 
these two steps are properly taken it appears that adequate procedures 
exist to track the correct application. 
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Retention methods are: 


a. JSCM 8080 - Standards and Criteria 

These are imposed when applicable on subcontractors. 

b. AFSC Handbook DH-1-6 

This contains checklists and safety techniques 
and is used by JSC safety division for check- 
list inputs. 

c. Various JSC Experience Retention Documents 
Examples are: 

84 Apollo experience retention reports 
JSC 09096 Lessons Learned Skylab 
JSC 0134 B Space Flight Hazards 
JSC 02681 Non Metallic Materials 
JSC 08980 Field Experience Data 
Mission Assessments (Safety), Apollo 7 
through ASTP 

In addition a lessons learned document has been prepared 
which states whether the lesson is applicable to Shuttle and how it 
is to be dispositioned. This document should be continuously updated 
and safety reviews of Shuttle compared with it. As of June 10th, 1975, 
the document showed 476 lessons applicable. The question of the proper 
steps to take to avoid further occurrence is a much more difficult 
one. For example, the question of man- in- the- loop versus full auto- 
mation appears to be subject to fine tuning decisions, with some 
differences of opinion still existing. 
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B. Use of Teflon 


The use of Teflon is being carefully tracked. It is felt 
to be the safest insulation material available (where the requirements 
suggest its use) as long as it is not exposed to temperatures high 
enough to cause decomposition. There appears, therefore, to be little 
effort to restrict its use where it is otherwise advantageous. A 
possible exception is the use inside the oxygen tank of the External 
Tank. This was originally felt to be safe since only instrument signal 
current is carried by these wires. However, at the time of the task- 
team meeting on February 9, 1976, consideration was being given to re- 
placing this section with stainless steel coated, ceramic insulated 
wiring (as was done in the Apollo oxygen tanks) despite the appreciable 
weight penalty. Since then the possible acceptability of TFE plastic 
is being investigated. This reconsideration is occasioned by updated 
thermal analyses which showed that high temperatures (500°F) may be 
encountered in use. This item had been closed out in the December 10, 
1975, Major Safety Concerns Document (JSC 09990) based upon engineering 
data and, when appropriate, initiation of new or more extensive engineer- 
ing analyses. It also illustrates the necessity to maintain a vigilance 
over revised data and the effect on closed hazards. In this instance, 
the review system worked when the hazard was reopened. 

The cold flow characteristics of Teflon are said not to 
cause any problems for Shuttle applications. This issue arose during 
Apollo fabrication days because of a bad batch of Teflon which was 
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not typical of good quality material. Since then, acceptance tests 
have been introduced to apply to each new batch of Teflon to assure 
that no material will be accepted and used in Shuttle which may be 
deficient in cold flow characteristics. As a result this will no 
longer be considered a limitation on the places where Teflon may be 
used. In addition there are firm controls and requirements (Rockwell 
Space Division Specification ML-0303-0029A and ML-0303-0013 , and 
Martin Specification STP 6506) which relate to minimum bend radius, 
clamping force, sharp edges, wire bundle sleeves for protection, 
harness routing, etc. Rigorous inspection verifies this. Thin walled 
Teflon has a protective top coat of polyimide resin which restricts 
cold flow. 

C. The Use of Small Gauge Copper Wire 

Because of the problem on Apollo with breakage of 26 AWG 
copper wire the use of this has been largely eliminated, replacing it 
with 22AWG or heavier. However, in an appreciable percentage of the 
total footage (r7.-8%) it has been found impracticalbe to use wire this 
large and stiff. Where 26AWG wire has been used it has been made of 
an alloy of copper having considerably higher tensile strength. It 
has also been bundled together so that no individual strands can be 
flexed and broken. OV 101 is being built in this manner. The Panel 
feels that this problem has been handled properly. 
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It should be noted that there are many manufacturers* items 


such as instruments and black boxes which may contain much finer 
wires. However, these are firmly attached and protected and are not 
subject to flexing or other mishandling during installation or use. 

The Panel is satisfied that the design is proper. 

D. The Controls on Threaded Fasteners 

The Panel found that NASA and its contractors procure fasteners 
from a variety of sources which meet NASA and DOD specifications. In the 
manufacture of these fasteners the single element method of gauging is 
almost always used because it identifies, for the manufacturer, changes 
in the shape or quality of the threads and alerts the manufactu rer . to 
tool and roll wear before the fasteners get out of specification. It 
is to the manufacturer 1 s economic advantage to use this system since 
his rejection rate is decreased (i.e., product consistently is of 
high quality). In addition to gauging, the manufacturer invariably 
uses an optical comparator and does metallurgical and physical tests 
on the materials. This whole procedure, statistically applied, in- 
sures shipment of high quality fasteners at the minimum price consistent 
with that quality. 

After certification the user, i.e., NASA or its contractors, 
is primarily concerned with whether a fastener falls within an accept- 
able envelope of tolerances which can be measured quite rapidly with 
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go-no go gauges. If the fastener does not meet this test it is re- 
turned to the vendor for analysis and replacement. While this might 
appear to be an arbitrary procedure it is not, because the major factor 
affecting the failure of a fastener is the proper application of that 
fastener. Proper application is the facet of the problem that NASA 
and its contractors must control. Such factors as out of tolerances 
of parts, insufficient radii at corners, and improper torquing of the 
fastener more often are responsible for failure than are minor variations 

in the shape of the thread. We do not believe that one can document 
a single failure due solely to the threads themselves when they have 
passed a go-no go inspection. Failures almost always are due to 
improper application of the fastener and, in a few cases, to a 
material or metallurgical problem. The improper application of 
a fastener is prevented first by proper engineering design and review, 
and second by assembly inspection to see that the proper tolerances 
are present in the fastened parts and that the correct fastener and 
torque have been used. The metallurgical aspect of the problem is 
taken care of by chemical and metallurgical tests as a part of in- 
coming inspection. 

The experience of NASA and the DOD, over many years, has 
resulted in a statistical testing program on fasteners which NASA and 
its contractors observe. An analysis of these procedures has been 
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made by NASA and the Panel has reviewed it. In our opinion the pro- 
gram being followed by NASA and its contractors is appropriate and 
results in the proper degree of safety. We feel that this has been 
demonstrated by the performance of past NASA projects and by the 
immense experience of DOD. We further feel that should a fastener 
failure occur, it almost always will be traced to causes not controlled, 
or indicated, by the gauging systems. 

E. Crew and Range Safety 

During launches of the initial Shuttle missions, ground 
command and destruct capabilities exist on the External Tank and on 
each SRB. The Orbiter Main Engines cannot be shut down by ground 
comma nd. 

The crew cannot inhibit ground destruct, but are provided 
warning in advance of such action. Two ejection seats are provided 
for the crew. Use of ejection seats and of ground destruct devices 
after the initial missions still is the subject of considerable contro- 
versy. There is no precedent in previous programs, since the Shuttle 
system is a combination of launch vehicle and transport aircraft. 
Additional complexities result from the split responsibilities be- 
tween Shuttle program managers and national range commanders, and from 
the fact that later operational missions will carry "passengers" , for 
whom ejection capability probably would be impracticable. 
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It is the opinion of the Panel that planning for future 
missions should proceed with a fundamental ground rule that the cap- 
ability for destruct by range safety personnel and the capability of 
escape by all people onboard go hand-in-hand. 

Under current plans, adherence to this ground rule would 
mean that both ejection seats and destruct systems will be removed 
when more than two people are on board. It seems reasonable that 
removal of si ch de ’ices will be an acceptable risk after demonstration 
by a few successful flights, 

F. Response to Recommendations on Hydraulic Fluid 

The Panel earlier had recommended that the choice of hydraulic 
fluid be re-examined. 

On November 18, 1975, detailed presentations were made on 
the comparison of Yellow Oil (MIL-H-83282) and Red Oil (MIL-H-5606) 
for use as hydraulic fluids. These comparisons showed that Yellow 
Oil appeared superior to Red Oil in regard to flammability over a 
narrow temperature range and under certain physical conditions. In 
some other respects, such as corrosion and low temperature viscosity, 

Red Oil was superior. The decision has been made to stay with Yellow Oil 
due to its lesser fire risk. Precautions will need to be taken to 
keep out water (corrosion) and to avoid excessively low temperatures. 
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G, The Risk Management System and Aggregate Risk Assessment 


The Panel found a well-developed independent hazard identi- 
fication and risk assessment system, the members of which participate 
in program decision making. They provide formal reports to program 
management such as summaries of major safety concerns and of the 
actions being taken to assure management awareness. They have also 
just completed the initial mission safety assessment report for the ALT 
flights. 

The Panel gave particular attention to management control 
of both the total or aggregate risk on the program as well as the 
control of specific hazards. 

Aggregate risk has been defined by the JSC Safety Division 
as the sum of the effects of hardware and operational hazards upon 
the event, series of events, or mission, and is measured in terms 
of adverse impact on personnel or critical equipment. The manage- 
ment approach to this assessment is through the safety concerns pro- 
cedure. In this procedure all inputs to safety questions, including 
RID's are examined through System Level Hazard Analysis, in preparing the 
Shuttle level SAR, and screened by a Criteria Committee. They are either 
resolved through modifications or accepted as risks. They become part 
of the Safety Concerns Index and Safety Concerns Summary Report and as 
such are direct input to the Mission Safety Assessment. The latter 
becomes the true evaluation point for aggregate risk assessment. It 
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appears that this procedure is adequate from a management point of 
view to assure that all safety issues, once identified as such, are 
properly tracked and assessed. 

While major hazards are brought before management for their 
evaluation tie re is also the question of how you control minor risks 
and evaluate their impact on the level of aggregate risk being accepted 
in the program. This is no simple matter because management cannot 
review every decision and there are not the resources to work every 
"what if" situation. Therefore, the task team has been in discussions 
wich the safety offices on how to strengthen controls or audits in this 
area. As a result additional controls have been instituted. 

The Screening Board for the "Major Safety Concerns Document" 
has been passing judgment only upon those issues which are considered 
significant safety drivers and hence has not reviewed those having 
little impact. To perform a check of the disposition of these minor 
risks, the Screening Board has instituted a new procedure whereby 
it will include an audit of twenty minor issues at each Screening 
Board meeting to determine that they have been properly evaluated 
and dispositioned. If the audit reveals deficiencies, a more 
extensive investigation will be completed. It should be noted 
that Board membership has been recently revised to include KSC 
and MSFC representation. The method of assessing the total impact of 
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these risks is to track the safety issues for satisfactory closeout 
and to report on them in the Mission Safety Assessment Documents. 

These documents contain the Safety office's judgment on the acceptability 
of the "aggregate risk." This is a subjective, rather than quantative, 
evaluation of the cumulative accepted risks and actions being taken 
to resolve open items. 

The Panel met with senior program management to review their 

* 

approach in developing policies that determine the criteria for risk 
assessment and decision making at subordinate levels. These discussions 
also included senior managements approach to decision making at their 
level where it has been their judgment to accept risks. The Panel was 
both reviewing critical decisions that have already been made and re- 
inforcing management's controls to assure that safety not slip from 
its normal top priority because of cost and schedule pressures in the 
period ahead. Among the points made by management in these discussions 
were : 

1. Decisions involving any significant reduction in 
program requirements are reviewed by senior management to assure a 
judgment that is objective and sensitive to the requirements of public 
accountability. This is evidenced by the way the decision was made 
on contingency abort capability during the SRB burn period. 

2. Any decision on safety is a judgment on how far 
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to go to enhance or guarantee safety. There are specific areas 
where safety margins have been reduced but the management judgment 
is that the margins are still sufficient. 

3. Redundancy is not synonymous with safety because 
the complexity of a redundant system may introduce new ha sards that 
reduce the overall safety of the system. Excess redundancy, or appended 
protection systems, may cause engineers to produce designs that are not 
optimum but depend upon these additions to make them acceptable. 

4. The number of single failure points that could 
cause critical situations are not greater than in Apollo or Skylab, 

In fact, Shuttle has a higher safety factor because of the flexibility 
available to terminate the mission. 

5. Aggregate risk is hard to measure but the program 
is making a conscious effort to identify the magnitude. The Mission 
Safety Assessment document is one judgment. The program SR&QA people 
are preparing a form of aggregrate risk assessment associated with the 
program requirements review results. 

6. The ground test program provides the best assur- 
ance that we understand the system, its capabilities and limitations. 
While some changes have been made in the test program, piggybacking 
tests or deferring them, feasic requirements have not been compromised. 

7. The ALT flights and the subsequent orbital flight 
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program will develop confidence in the vehicle. They provide for 
moving into situations of greater risks in carefully considered incre- 
ments, so that the new risk on any one flight is acceptable or cannot 
reasonably be reduced further. 

III. ASSESSMENT AND RECOMMENDATIONS 

The Panel's judgment as to whether the total aggregrate risk is 
acceptable can only be arrived at over the course of time after care- 
ful study of the mission assessment documents and other pertinent 
data. Once the program is beyond the development flights and is in 
the operational phase, aggregate risk should be minimized by exper- 
ience and by the repetitive nature of the flights. Safety questions 
which the Panel considers significant are being worked, although the 
resources available may not permit in-depth investigation of all 
minor issues. 

The concept of re-usability introduces a new type of risk in 
the Shuttle program which was not encountered in previous, single-shot 
programs. For example, the TPS and the landing requirements introduce 
a number of safety problems for which experience is lacking. 

The final aggregate risk assessment should focus heavily on 
"what if" questions. 
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7.1 GROUND TESTS 


I . BACKGROUND 

The Aerospace Safety Advisory Panel has studied NASA philosophy 
pertaining to the entire Space Shuttle System, the "Space Shuttle Veri 
fication Program" and particularly the ground tests aspects of that 
Verification Program. Since the Panel has been in existence for 
several years and was involved in Apollo, Skylab, and the recent 
joint US-Soviet Apollo-Soyuz space flight, an inevitable comparison 
with these programs is made and, indeed, the uniform approach to test- 
ing reflects NASA experience. Past NASA programs have been eminently 
successful. Yet even NASA has suffered temporary failures, and the 
Panel was created as a result of a disastrous accident. The Panel 
is conscious that NASA faces a need for major cost reductions in 
order to stay within programmed costs for the Space Shuttle program. 
This cost reduction effort could impact on safety unless management 
review is thorough. A part of our examination focused on this 
possibility. 

The Panel is examining the Ground Test Program as it pertains 
to preparation for the Approach and Landing Tests, to the Orbital 
Flight Tests and eventually the operational orbital flights. Ac- 
tivity to date has concentrated on the pre-opera tional phases. The 
major effort has been to assist NASA in assuring the Space Shuttle 
System will fly safely as a space vehicle and as an aircraft when it 
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reenters the atmosphere to return for landing* In gathering data we 
have studied the planned Space Shuttle Verification Program, some 
individual ground tests, and the Hawkins Review to identify possible 
problem areas. Based on those studies, visits to Rockwell and the 
Johnson Space Center have been made. 

As previously indicated the Space Shuttle Verification Program, 
and specifically the ground test portion, is based on past highly 
successful NASA programs. Experienced NASA management has designed 
and tracked the program since the go-ahead for Space Shuttle was 
given in 1969. There is a strong reliance on this past experience 
and an excellent use of "lessons learned* " However, major NASA pro- 
grams in the past have dealt with Space Vehicles, one time flights, 
and better funding priorities. Moreover, past programs were experi- 
mental in nature as opposed to operational. Thus, new problems can 
be expected. 

The Ground Test Program is extensive. Obviously, the Panel can 
not examine all details, nor is that desirable or necessary. The 
Panel 1 s contribution should be to identify areas in which there are 
risks not faced in past NASA programs and/or areas in which previous 
difficulties have been encountered. Activities to date have identi- 
fied these priority areas for Panel examination. 
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II. OBSERVATIONS 


The Ground Test Organization appears adequate. The Test Organ- 
ization is sufficiently distinct from the organization which designed 
the Shuttle. Thus, testing objectivity should be assured. 

It also appears that there is a reasonable mix of space vehicle 
and aircraft experience. Rockwell is applying its considerable air- 
craft expertise to the Space Shuttle Systems, as well as its space 
experience. They realize the Orbiter must perform as a space vehicle 
and an aircraft. NASA has an adequate mix of Space experts and pilots 
who have flown and tested aircraft, including "lifting bodies" with 
shuttle-like characteristics. The astronauts are deeply involved in 
the planning and the ground test programs. Throughout NASA there is 
a reasonable balance of scientists, engineers, engineer-pilots, and 
other skills. Cost reduction efforts and ensuing personnel reductions 
have, as yet, not destroyed this core of capability. 

An adequate interface between Rockwell and subcontractors appears 
to exist. The Rockwell organization indicated a realization of the 
responsibility for monitoring tests conducted by subcontractors. Any 
test failure must be reported within 24 hours and Rockwell monitors 
compliance. This will be further checked by the Panel in visits to 
subcontractors . 

Because of funding constraints, some tests have been cancelled. 
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It appears, however, that management has provided an adequate review 
of the risks involved in each such reduction, 

III. ASSESSMENT AND RECOMMENDATIONS 

The Ground Test Program as originally envisioned had a larger 
scope of full scale model tests. In the reduction a greater reliance 
was placed on quarter (1/4) scale model tests. Additional cost re- 
duction efforts have led to some modification of 1/4 scale model tests. 
Also, some originally scheduled test conditions changed due to lack 
of availability of components. Planned full scale model tests were 
directly related to 1/4 scale model tests - designed to provide a one- 
to-one comparison in such areas as Influence Coefficient and Stiffness 
Characteristics. The lack of these one-to-one comparisons could have 
an adverse impact. Management is aware of these reductions and has 
assessed the risk. 

The Panel was concerned with the adequacy of structural testing 
prior to ALT and has inquired into this at some length. 

A. Structural testing of the Orbiter was compared to the test- 
ing of the Boeing 747, the Douglas DC-10 and the Lockheed 1011 (sim- 
ilar wide body aircraft). The two former were tested to a greater 
extent. The 1011 testing was more limited and would tend to indicate 
that the Orbiter test plan is adequate. 

B. ALT will not include thermal and ascent stresses which will 
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be encountered in orbital flights. Structural analysis prior to ALT 
assumes these stresses are present, thus creating a margin of safety. 
However, actual structural tests will not be completed prior to ALT. 

C. The Orbiter will be limited to 75% of structural loads 
(limiting weight and G- forces), during the ALT. The extent of ground 
tests in this respect is somewhat less than that to which wide body 
aircraft have been subjected prior to first flight. Perhaps require- 
ments for wide body aircraft are not appropriate for Shuttle. On the 
other hand, even higher standards might be appropriate. It is suggested 
that this be a subject for a later meeting of the entire Panel. 

There is concern about the testing for the Payload Bay Doors. 

It is clear that ft ilure to close these doors would preclude safe 
reentry. Many steps are being taken: 

A. NASA (JSC) is making a comprehensive study of the history 
of "jams." 

B. Conservative "overreach" is planned. 

C. Many tests are planned. 

D. EVA capability is being planned. Tools are being considered 
and an EVA working group exists. 

1. However, some payloads could preclude access by EVA. 

2. There is some indication that test payloads during 
early Orbital Flight Tests are being considered that could interfere 
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with manual back-up for closing payload bay doors. Recommend no such 
payloads be permitted during early OFT. 

No schedule margin exists in the event any major problems are 
encountered in ground testing. This is a success-oriented program 
and any major problems will impact dollars and schedules. This could 
induce shortcuts that have safety implications. The Panel should 
examine any major test failure and/or change in the test program in 
order to act as an additional safeguard to the normal NASA management 
review. 

The review of changes and deletions to the Ground Test Program 
appears to have been adequate to date. Further budget constraints 
or a major problem could induce more changes. The Panel believes the 
"point of diminishing return" must be close for changes in the Ground 
Test Program. Thus, such changes should be brought to the attention 
of the Panel as soon as they are defined. 
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7.2 GROUND SUPPORT EQUIPMENT 


I. BACKGROUND 

Planning for and acquisition of Ground Support Equipment are 
largely management problems as opposed to safety issues. However, the 
Panel notes that such equipment acquisition for various past programs 
traditionally has been the first to suffer in budget cuts. Moreover, 
planning is difficult in the early stages of a program, pending devel- 
opment of a firm maintenance baseline. Thus when cuts or changes are 
made, little time remains to adjust, and equipment deliveries often 
lag operational requirements. Some safety impact may then result, 
especially when ground handling and turn around are so dependent on 
specialized and sophisticated equipment. 

The planned turn around of 160 hours would be made more diffi- 
cult to attain if equipment were not available in the configuration 
and numbers required. 

Orbital Flight Tests could be hampered if Ground Support Equip- 
ment were not available. Delays in flight tests could be costly 
and/or could impact on safety if shortcuts are attempted. 

It appears prudent to examine whether the pressure to achieve 
the 160 hour turn around could create safety problems. 

If inherent safety problems exist in the interface between Ground 
Support Equipment and flight hardware, the Panel wishes to identify them 
and assure itself these hazards are given adequate attention. 
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II. OBSERVATIONS 


JSC and KSC are aware of the criticality of Ground Support Equip- 
ment and of their responsibility for integration. Both are develop- 
ing detailed planning for such equipment, considering life cycle re- 
quirements and hazard analyses across the interface with flight hard- 
ware. Both centers are working closely with the Air Force, which 
eventually will operate the Space Shuttle System from Vandenberg. 

Air Force personnel are on hand at JSC and KSC for this purpose. 

All seem to be aware that the 160 hour turn around forces better 
planning for support equipment. However, they assert that they are 
guarding against the possibility that the turn around requirement 
could influence shortcuts. They clearly state that the 160 hour 
turn around is a goal for the operational phase and that it 
will not be attempted in the orbital flight tests or in early opera- 
tional flights. 

Planning is tied to vendor (subcontractor) availability. If a 
vendor's production line is planned to be closed or reduced, JSC plans to 
review the need to acquire support equipment prior to any such action. 

Most testing during Orbital Flight Test and in later operational 
flights is planned to be accomplished on-board the Orbiter, as dis- 
tinguished from bench checks in a separate facility. Before attempt- 
ing to repair a black box the malfunction will be clearly identified. 
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III. ASSESSMENT AND RECOMMENDATIONS 


The Panel should continue surveillance of Ground Support Equip- 
ment and should examine the interface of some of the more critical 
items with flight hardware. 

Panel interest should focus initially on equipment required for 
auto land tests. (Subcontractor equipment is planned to be used to 
cover most requirements for this and Orbital Flight Tests.) 

The Panel also should follow changes and/or reductions planned 
for support equipment, assuring that NASA reviews of such actions 
consider all risks involved. (The NASA review process should equal 
that for changes in the ground testing program.) 

The Panel should question planning for Ground Support Equipment 
as it visits selected vendors (subcontractors) and NASA centers. 
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8.0 FLIGHT TEST PROGRAM 


Mr. John L. Kuranz 
Mr. Lee R. Scherer 
Lt. Gen. Warren D. Johnson, USAF 


8.0 FLIGHT TEST PROGRAM 


I. BACKGROUND 

The Panel undertook to study the Approach and Landing Test Pro- 
ject for the purpose of assessing the value and risks, in order to 
determine if programming and/or management system changes should be 
recommended to meet the primary test objectives* We believe these 
objectives to be valid; they are: 

A. To verify operational capability of the mated ferry config- 
uration. 

B. To confirm the subsonic aerodynamic characteristics of the 
Orbiter and verify piloted and automatic approach and landing concepts. 

C. To correlate wind tunnel data and flight data. An integral 
part of the Panel's study was the examination of potentially hazardous 
conditions associated with the design or operation of both the flight 
and ground systems. 

The Panel's most recent meeting with ALT management was May 24-25, 
1976 at JSC. This was preceded by the following activities: 

A. Met with ALT and Carrier Aircraft project officers at JSC 
on November 18-19, 1975. Detailed discussions on the 747, Orbiter 
101, mated configurations and most current test and analytical data 
supporting the ALT requirements and management decisions. 

B. Session with ALT project personnel at Rockwell International 
at Downey, California on October 29, 1975. Discussions related to 
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Rockwell International's participation and implementation of their 
role in the ALT project. 

C. Shorter but significant fact-finding sessions were conducted 
in Washington at NASA Headquarters on August 28, 1975 and at KSC on 
December 3, 1975. These served to provide an overview of the ALT 
project and indicated where further examination would be fruitful. 

D. Attendance at the Orbiter ALT Critical Design Review con- 
ducted at JSC on April 21, 1976. 

E. Panel review and task team sessions at JSC, February 9-10, 1976. 

These activities served to provide a well detailed and 

up-dated background for further fact-finding and gave an integrated 
perspective to the Panel. Included were major achievements that con- 
tribute to program management's confidence in achievement of ALT 
objectives . 

In addition to these face-to-face sessions, numerous program 
documents were supplied, including the ALT Project Management Plan 
which, together with the candid and helpful dialogue with program 
managers and engineers, allows the observations and assessments 
which follow. 

Before reading the section of this report covering observations 
and assessment, it is worthwhile to review the VLT Project background. 
ALT covers only a small portion of the Shuttle Verification Program. 
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Orbiter 101 and a modified Boeing 747 will be used for these tests. 
Orbiter 101 configuration will be oriented toward the subsystems re- 
quired for subsonic atmospheric flight. For the most part it will 
not include subsystems required for space operations. Although not 
carrying actual payloads, the Orbiter 101 will employ simulated pay- 
load structure adequate to demonstrate the effects of payload weight, 
center-of-gravity, and inertia on approach-and- landing performance. 

The ALT project includes vehicle ground tests before the first drop 
flight, preliminary flight evaluation, flying quality investigation 
of the launch combination, the separation and the Shuttle subsystem 
verification, and demonstration of the unpowered approach and landing. 

II. OBSERVATIONS 

The Shuttle program by nature of costs, and schedule constraints 
is a success-oriented program. This is exemplified by the assignment 
of a single Orbiter and a single carrier aircraft to this program and 
the use of the carrier for all future ferry- type operations. Major 
schedule perturbation would result from mishaps or system failures 
which could occur during the ALT process. The goals of the program 
appear to be proper, however, and the tight planning does not at this 
time imply any increase of risk to the crew during this test series, 
in ferry operations or in the orbital flight tests that follow the 
ALT. 
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It appears that the flight performance data and overall exper- 
ience to be gained during the ALT activities as currently planned do 
justify performing this series of tests. This viewpoint is based 
on an assessment of the risk of performing the ALT versus the risk 
in eliminating it. While the Panel believes that no single flight 
test requirement for ALT would in itself justify the program, we be- 
lieve that it is justified by the aggregate results. 

The continuing effort of Shuttle management to utilize the ALT 
project to its fullest has been a forcing function in establishing 
details of the ALT. For example, the configuration of the hardware 
and software is such that it will have the capability of meeting 
alternate configuration options, tailcone on, tailcone off, etc., 
depending upon the results of the first few captive and free-flight 
tests . 

Current plans now call for five tailcone on and three tailcone off free 
flights in addition to the original captive inert and inactive flights. The 

use of the tailcone on the Orbiter is the result of wind tunnel tests 
and detailed analyses which show a high degree of 747 tail buffet with 
tailcone off as the Orbiter is being carried on top of the 747. Sig- 
nificant effects of this buffeting are: 

A. Fatigue of the 747 tail area P. However, based on wind tunnel 
tests and analyses, the structural capability will not be exceeded. 
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B. The possibility that the mated configuration buffeting will 
adversely affect flight control, as well as the 747 crew's ability 
to accomplish required maneuvers. 

The ALT management system was discussed in some detail with 
both the NASA and contractor personnel during the fact-finding ses- 
sions. It appeared that the management system, including the reviews 
and information flow, has been effective in supporting the ALT pro- 
ject; however, there was some indication that not all current infor- 
mation had been communicated on a timely basis. The ALT CDR identi- 
fied this problem and adequate steps are being taken. 

III. ASSESSMENT AND RECOMMENDATIONS 

A. The Panel agrees that an adequate Approach and Landing Test 
Project is necessary to the orderly and safe development of the 
Orbiter y the ferry utilization, and other aspects of the overall 
Shuttle program, both ground and flight. 

B. The information gained from the ALT is important to the con 
fidence level required in making the first manned orbital flight with 
the full Space Shuttle system. The value of the ALT project though, 
is wholly dependent upon the results of each individual step within 
the project. A willingness to alter the test program flights as 
data is collected is expected, which will enhance the synergistic 
results from all tests. 
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C. As an aerodynamic vehicle, the Shuttle aircraft is new in 
many ways. It may exhibit some characteristics in various flight 
conditions that are not accurately predictable from wind tunnel or 
other data. The Panel believes that the flight control system, if 
provided with a cockpit gain variation, would add to the safety of 
the first flight tests of the Orbiter vehicle. The Panel is aware 
that the ALT CDR considered this problem; however, we suggest further 
review. 

D. If the Orbiter L/D is to be simulated when it is flown with 
tailcone on, the Panel recommends that extra caution be employed to 
assure there is sufficient attitude control available when drag de- 
vices are deployed. It is realized that currently such maneuvers 
are not planned. 

E. The profile or energy management for approach, flare and 
landing are different for autoland and manual control modes. Figure 1 
shows this difference. Effort is now underway to make the automatic 
and manual profiles identical. The Panel believes this to be essential. 
This will make it possible for the crew to follow the progress of an 
automatic landing, and, if necessary, accomplish the transition from 
automatic to manual with a minimum of exposure to error. 

F. Lifting body flight tests show that successful unpowered 
landings are best achieved following float profiles that are much 
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flatter than is now planned for ALT. The Panel recommends further 
review of the planning and training for the float segment of the ALT. 
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9.0 EXTERNAL TANK 
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9.0 


EXTERNAL TANK 


I. BACKGROUND 

The External Tank appears to be simple in concept. The liquid 
oxygen and hydrogen tanks are basically of a conventional design. 
However, the Tank has turned out to have significant engineering and 
manufacturing challenges. There are also the challenges of designing 
the fore and aft Orbiter attachment hardware, the external insulation 
and lightning protection systems. Thus a Panel member was assigned 
to this important area. 

Information on the status of the External Tank has been obtained 
through formal presentations at JSC and Rockwell International and 
through detailed review of the system at MSFC. Also, a visit was made 
to Martin-Marietta at Michoud earlier. In addition, a study was made 
of the Hazards Analysis Report, MMC-ET-RA01-A, dated October 17, 1975. 

II. OBSERVATIONS 

The hazard status summarized in October 1975 was: 

A. 58 hazards identified. 

B. 31 hazards submitted to NASA for evaluation. 

C. 2 residual hazards proposed for acceptance as continuing 
hazards by NASA. 

D. 25 hazards resolved. 

At the Quarterly Review on May 6, 1976, the list of hazards was 
revised to show the following changes : 


101 


sum 



A. 67 hazards identified. 

B. 33 hazards submitted to NASA for evaluation. 

C. 2 residual hazards proposed for acceptance as continuing 
hazards by NASA. 

D. 32 hazards resolved. 

It would be premature of the Panel to comment on the detail de- 
liberations among the contractors and the NASA Centers until firm 
decisions have been reached. It should be pointed out, however, that 
the classification above of "Residual Hazards" corresponds to the 
concept of a "Risk List" as suggested in 1975 by the Hawkins Committee 
for the entire Shuttle system. The Panel concurs in the concept that 
such a list should be the prime focus for reviewing the readiness for 
operation of a subsystem of the Shuttle such as the External Tank and 
commends the Shuttle management and Marshall for this method of moni- 
toring the hazards inherent in the system. 

Several hazards described in the above-referenced report should 
be addressed in subsequent studies. 

A. The breakdown of the hazards into the functional list selected 
caused a great deal of cross referencing. Some other breakdown might 
make a review by outsiders simpler and more productive. 

B. The problem of flammability of the Thermal Protection System 
in the presence of gaseous or liquid propellants suggests that a com- 
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plete review of propellant leakage and possible spillage may be of 
value. The toxicity of the polyurethane foam with a flame retardant 
needs more study and a systems decision. The addition of the flame 
retardant makes the residual ash and the gas emmision more objec- 
tionable, perhaps unacceptable, if a fire should occur. A fire may 
be avoidable and unlikely, but if one should occur, the questionable 
improvement of a fire retardant makes the insulation material in use 
more dangerous. The effectiveness of the retardant in case of an 
oxygen leak is questionable. There is the additional fact that the 
external, or bending, insulation of the External Tank is temperature 
sensitive. Any lengthy exposure to direct solar heating might degrade 
the integrity of the Thermal Protection System (CPR421). 

C. There was no discernable reference in the reports to previous 
NASA or contractor experience on launch vehicles which must have been 
subject to similar fire hazards. Solutions which were reached on such 
vehicles must be equally applicable to the External Tank and would be 
far more convincing to reviewers than some of the test programs or 
explanations which were offered to mitigate or remove the hazard. 

D. A series of lightning tests performed recently showed that 
the protection system problem is not yet solved; specifically, the 
bonding of multiple spray-on paint strips to a single path solid 
metal in the form of the vent line. In addition, the selection of 
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the proper spray-on conduction paint itself needs more test and studies. 

E. The occurrence of geysering during filling of the long suction 
lines has to be thoroughly tested, and the baffles inside the tank 
must be protected. Tests are still forthcoming. 

F. Large cryogenic separation fittings subject to water and 
nitrogen icing might be troublesome to guarantee a proper disconnect. 

To date, no ground separation test (even simulated) is planned. 

III. ASSESSMENT AND RECOMMENDATIONS 

It is the opinion of the Panel member who reviewed the External 
Tank status, that there are no insurmountable risks that cannot be 
adequately controlled for safe operations. It is suggested that the 
Panel participate through its individual members, in subsequent critical 
design or normally scheduled reviews and that the entire Panel be ex- 
posed to the final "Residual Hazards" which the program managers be- 
lieve should be accepted for first orbital flight and subsequent 
operations . 

A. The target performance data of the orbiter systems were 
quot »d and finalized as a point in time when finalized loads, aero- 
dynamic, thermodynamic, vibration, and vibro-acoustic, were in a pre- 
liminary state. Weights and propellants have only minor allowances 
for variations. Finalized date in all environmental fields will not 
be available until late in the test program and may result in a costly 
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redesign and, sooner or later, performance varia'ions may well result. 

B. Critical mechanical activities like the complex separation 
of the External Tank and Orbiter will be experienced for the first 
time under environmental conditions during the first orbital flight. 

If at all possible, it would be prudent to include an enviroamental 
separation ground test in the program. A flight failure can neither 
be observed nor measured and could well lead to a total loss of the 
Orbiter. 

C. A reasonable consistency in the quality of the External Tank 
in order to achieve maximum reliability and safety of the manned flight 
is best assured by continuing production. Shutdown and the subsequent 
reopening of the production line will interrupt the learning curve 

and compromise a reasonable, low price of the throw-away External Tank 
which is best achieved by an acceptable continuous production rate. 

The actual use of the External Tank is governed by entirely different 
aspects. A launch delay, weather, mechanical difficulties, payload 
availability, or other unpredictable events, will create a possible 
storage problem tor the External Tank. It would be advisable to assure 
suitable limited storage space for these large External Tanks. Storage 
conditions would have to be controlled to insure against degradation, 

D. Lightning tests have shown some weaknesses of the test speci- 
men representing the intended External Tank design. It is suggested 
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that a "Lightning Protection Commit tee," or "Study Group," approve 
the finalized lightning protection measures, not only for the launch 
pad, but for the vehicle in flight as well. These reviews should 
include proper bonding and prevention of static charges. 
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10.0 SOLID ROCKET BOOSTER 
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10.0 SOLID ROCKET BOOSTER 


I. BACKGROUND 

The technology of large solid rockets is well developed, and 
many operational units have been found to be reliable and trouble-free. 
The Panel recognizes the importance r f this element and the need for 
high reliability. The development program on this element is now reaching 
the stage for more intensive review. 

Several Solid Rocket Booster Quarterly Reviews were attended and, 
in addition, insight was gained by visits with the project management 
staff. Up to this date, contractor visits have not been made b. ~ause 
of the early status of the project. The last contract for the assembly 
of the booster is about to be let as of the date of this report. 

Nevertheless, the latest issue of the JSC Report #09990A published 
March 8, 1976, titled "Major Safety Concerns of Space Shuttle Program" 
lists two open safety concerns , INTG-11 and INTG- 12 > pertaining to the 
Solid Rocket Booster. 

INTG-11 - "A Nozzle Extension Separation Failure" will be dis- 
posed of prior to the first launch. 

INTG-12 - "Ignition Overpressure" Completion of a comprehensive 
study is scheduled for July 1976. It is evident that late adverse 
study results might have a considerable impact on cost, performance, 
and schedule. 
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II. OBSERVATIONS 

Despite the diligent application of available experience and 
data, the project recognizes major uncertainties in design criteria. 
Lift-off loads, thermal environment and changes will have an impact 
on cost, schedule, and performance. Twelve concerns were recognized 
by project management and discussed in detail. To obtain a conclusive 
picture of the progress made, it was suggested by the Panel members 
that at following reviews, the status of the above concerns, as well as 
others, be monitored. 

III. ASSESSMENT AND RECOMMENDATIONS 

A. The auxiliary power unit supplying oil pressure to the actu- 
ators of the boosters uses as its prime mover a hydrazine-driven turbine 
to operate the pumps. The exhaust stacks of all four units located in 
both boosters allow the entry of sea water into the catalyst bed of the 
fuel system after splashdown. To date eleven (11) mission duty cycle 
tests of the unit have been completed during which the catalyst bed 

was exposed to salt water for ten (10) hours each cycle. After retrieval 
from the water, the bed was flushed out and successfully fired in all 
cases. The "reconditioning" system must assure adequate flushing is 
accomplished after each and every salt water exposure. 

B. A molded fiber-reinforced plastic cover of adequate strength could 
be designed and produced to enclose the entire AP'J for protection against 
sea water duncking. The savings in the long run could easily offset 

the initial cost. 

The Panel will be devoting increased attention to the Solid 
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Rocket Booster system during the year ahead. Hazards associated with 
Shuttle system assembly in the VAB at KSC will be included in such 
surveillance. 
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